Linux Patcher
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This looks like a real Linux patching skill, but it should be reviewed carefully because it runs privileged updates across servers and contains shell-handling patterns that could let generated config or paths alter commands.
Only install this if you are comfortable giving OpenClaw controlled SSH and sudo-based patching access to your servers. Before production use, run dry-runs, test on one non-production or canary host, restrict sudoers and SSH keys, protect PatchMon credentials, and consider fixing the generated-config sourcing and Docker path quoting issues.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or unsafe PatchMon response could potentially turn host inventory data into local shell execution before patching begins.
Automatic mode generates a temporary shell config from the PatchMon query path and then executes it with `source`. If the generated file is influenced by malformed or compromised PatchMon data and is not strictly escaped, it could execute commands on the OpenClaw/control host.
TEMP_CONFIG=$(mktemp) ... "$SCRIPT_DIR/patchmon-query.sh" --output-config "$TEMP_CONFIG" ... source "$TEMP_CONFIG"
Do not source API-generated files. Prefer JSON output parsed with `jq`, validate host/user/path fields, and treat PatchMon data as data rather than shell code.
A bad or malicious Docker path could change the remote command that runs over SSH, and the prune step can remove unused Docker resources outside the intended compose project.
A Docker path that may come from arguments or generated host configuration is interpolated unquoted into a remote shell command, and full update mode also runs a broad Docker prune command.
DOCKER_PATH="${2:-}" ... ssh "$HOST" "cd $DOCKER_PATH && sudo docker compose pull" ... ssh "$HOST" "sudo docker system prune -af"Strictly validate and safely quote remote paths, use `cd --` with robust escaping, avoid shell interpolation where possible, and require explicit confirmation or opt-in for global Docker prune.
Anyone or anything that can use the configured OpenClaw environment and SSH key may be able to run privileged patching commands on configured servers.
The skill clearly discloses that it needs delegated server access and credentials. That is purpose-aligned for patching, but it grants significant authority across target hosts.
This skill requires: - **Passwordless sudo access** - **SSH key authentication** - **PatchMon credentials**
Use a dedicated patching user and SSH key, restrict sudoers rules as tightly as possible, protect PatchMon credentials with `chmod 600`, and start with dry-runs on non-production hosts.
A single faulty package update, Docker compose change, or path/config error could propagate across several servers during the same maintenance run.
Automatic mode iterates through all PatchMon-selected hosts and applies package or full Docker updates. This is expected for the skill, but a bad update or configuration issue can affect multiple servers in one run.
for host_entry in "${HOSTS[@]}"; do ... patch-host-full.sh ... patch-host-only.shUse dry-run first, patch in small batches or canaries, keep backups/snapshots, and run during a maintenance window with rollback plans.
If the remote installer or upstream repository is compromised, setup could run untrusted privileged code on monitored hosts.
The PatchMon setup reference includes a user-run remote installer executed with sudo. It is not shown as automatic skill execution, but it is a supply-chain/provenance risk users should verify.
curl -sSL https://raw.githubusercontent.com/PatchMon/PatchMon/main/agent/install.sh | sudo bash
Download and inspect installer scripts before running them, pin versions where possible, verify checksums/signatures if available, and avoid piping remote scripts directly into sudo shells.